web analytics

Best Practices for Implementing a IS Awareness Program

Rate this post
  • In order for an organization to comply with PCI DSS Requirement 12.6, a formal security awareness program must be in place. There are many aspects to consider when meeting this requirement to develop or revitalize such a program. The best practices included in this information supplement are intended to be a starting point for organizations without a program in place, or as a minimum benchmark for those with existing programs that require revisions to:
  • Meet PCI DSS requirements;
  • Address the quickly and ever-changing data security threat environment;
  • Reinforce the organization’s business culture.

Establishing and maintaining information-security awareness through a security awareness program is vital to an organization’s progress and success. A robust and properly implemented security awareness program assists the organization with the education, monitoring, and ongoing maintenance of security awareness within the organization.

This guidance focuses primarily on the following best practices:

  • Organizational Security Awareness: A successful security awareness program within an organization may include assembling a security awareness team, role-based security awareness, metrics, appropriate training content, and communication of security awareness within the organization.
  • Security Awareness Content: A critical aspect of training is the determination of the type of content. Determining the different roles within an organization is the first step to developing the appropriate type of content and will also help determine the information that should be included in the training.
  • Security Awareness Training Checklist: Establishing a checklist may help an organization when developing, monitoring, and/or maintaining a security awareness training program.

The information in this document is intended as supplemental guidance and does not supersede, replace, or extend PCI DSS requirements. While all references made in this document are to PCI DSS version 3.0, the general principles and practices offered here may be applied to any version of PCI DSS.

Views: 3

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post